{
	"id": "6545bb83-824f-441f-a831-f86da86d2097",
	"created_at": "2026-04-06T00:07:03.416406Z",
	"updated_at": "2026-04-10T03:37:09.434696Z",
	"deleted_at": null,
	"sha1_hash": "a2710c18445d5c7af651b96fe114bede96f857b5",
	"title": "Technical Analysis of the WhisperGate Malicious Bootloader | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 496077,
	"plain_text": "Technical Analysis of the WhisperGate Malicious Bootloader |\r\nCrowdStrike\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-05 23:33:41 UTC\r\nOn Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian\r\ntargets. The incident is widely reported to contain three individual components deployed by the same adversary,\r\nincluding a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper.\r\nThe activity occurred at approximately the same time multiple websites belonging to the Ukrainian government\r\nwere defaced. This blog covers the malicious bootloader in more detail.\r\nDetails\r\nThe installer component for the bootloader has an SHA256 hash of\r\na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 and contains a build timestamp of\r\n2022-01-10 10:37:18 UTC. It was built using MinGW, similar to the file-wiper component. This component\r\noverwrites the master boot record (MBR) of an infected host with a malicious 16-bit bootloader with a SHA256\r\nhash of 44ffe353e01d6b894dc7ebe686791aa87fc9c7fd88535acc274f61c2cf74f5b8 that displays a ransom note\r\nwhen the host boots (Figure 1) and, at the same time, performs destructive operations on the infected host’s hard\r\ndrives.\r\nFigure 1. Fake ransom note\r\nThe destructive wiping operation has the following pseudocode:\r\nfor i_disk between 0 and total_detected_disk_count do\r\n for i_sector between 1 and total_disk_sector_count, i_sector += 199, do\r\n overwrite disk i_disk at sector i_sector with hardcoded data\r\n done\r\ndone\r\nhttps://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/\r\nPage 1 of 3\n\nAt periodic offsets, the bootloader overwrites sectors of an infected host’s entire hard drive, with a message\r\nsimilar to the ransom note, padded with additional bytes (Figure 2).\r\nFigure 2. 
Hexadecimal dump of the pattern written to the disks of an infected host\r\nThe data consists of the string AAAAA, the index of the infected drive, the ransom note and the MBR footer magic\r\nvalue 55 AA, followed by two null bytes. The bootloader accesses the disk via BIOS interrupt 13h in logical\r\nblock addressing (LBA) mode and overwrites every 199th sector until the end of the disk is reached. After a disk\r\nis corrupted, the malware overwrites the next disk in the detected disk list. This process is unsophisticated but\r\nreminiscent of the more evolved implementation of NotPetya’s malicious MBR that masqueraded as the legitimate\r\nchkdsk disk-repair utility while actually corrupting the infected host’s file system. The bootloader installer does\r\nnot initiate a reboot of the infected system, unlike past intrusions such as BadRabbit and\r\nNotPetya, in which a reboot was forced. The lack of forced reboot suggests the threat actor took other steps to initiate it (e.g., via a different\r\nimplant) or decided to let users perform the reboot themselves. A delayed reboot may allow other components of\r\nthe WhisperGate intrusion to run (e.g., the file wiper).\r\nAssessment\r\nThe WhisperGate bootloader malware complements its file-wiper counterpart. Both aim to irrevocably corrupt the\r\ninfected hosts’ data and attempt to masquerade as genuine modern ransomware operations. However, the\r\nWhisperGate bootloader has no decryption or data-recovery mechanism, and has inconsistencies with malware\r\ncommonly deployed in ransomware operations. The displayed message suggests victims can expect recovery of\r\ntheir data, but this is technically unachievable. These inconsistencies very likely indicate that WhisperGate\r\nactivity aims to destroy data on the impacted assets. This assessment is made with moderate confidence as\r\ntechnical analysis of the WhisperGate activity continues. 
The activity is reminiscent of VOODOO BEAR’s\r\ndestructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a\r\nreboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS\r\nfile system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently\r\nbe identified with VOODOO BEAR operations.\r\nCrowdStrike Intelligence Confidence Assessment\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in\r\nthe quality and quantity of source information supporting a judgment does not imply that that assessment is an\r\nabsolute certainty or fact. The judgment still has a marginal probability of being inaccurate. Moderate\r\nConfidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient\r\nquantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to\r\nexpress that judgments carry an increased probability of being incorrect until more information is available or\r\ncorroborated. Low Confidence: Judgments are made where the credibility of the source is uncertain, the\r\ninformation is too fragmented or too poorly corroborated to make solid analytic inferences, or the reliability of\r\nthe source is untested. 
Further information is needed for corroboration of the information or to fill known\r\nintelligence gaps.\r\nAdditional Resources\r\nFind out how to stop adversaries targeting your industry — schedule a free 1:1 intel briefing with a\r\nCrowdStrike threat intelligence expert today.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/"
	],
	"report_names": [
		"technical-analysis-of-whispergate-malware"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2710c18445d5c7af651b96fe114bede96f857b5.pdf",
		"text": "https://archive.orkl.eu/a2710c18445d5c7af651b96fe114bede96f857b5.txt",
		"img": "https://archive.orkl.eu/a2710c18445d5c7af651b96fe114bede96f857b5.jpg"
	}
}